Version 2.1
May, 2021
On this page we aim to provide a one-stop overview of our approach to data protection compliance, an easy way to contact our information officer should you wish to, and details of our ongoing compliance efforts in line with, but not limited to, the GDPR and POPIA.
Have a question, query or complaint relating to data protection @ Stackworx?
Please send an email to information-officer@stackworx.io
Related content & references:
We are registered with the South African Information Regulator.
Registration Number: 8202/2021-2022/IRRTT
Download a copy of the Stackworx Registration Certificate
We are part of the Michalsons Data Protection Program.
An overview of how Stackworx (Pty) Ltd treats data protection compliance in line with the GDPR (General Data Protection Regulation as set out by the EU) & POPIA (Protection Of Personal Information Act as set out by South Africa)
Compiled by:
Directors & DPO of Stackworx (Pty) Ltd
As an organisation, we treat security and personal data with the utmost importance. We appreciate that, as a data processor, it is usually up to us to satisfy data controllers that the safeguards we offer are adequate in an ever-changing legal landscape around personal data protection and information security.
We also appreciate that the GDPR, POPIA and related regulations, frameworks and laws require an ongoing effort rather than a once-off checklist. As an organisation we can only give assurances about the means and ways in which we process, handle, transfer and store data in line with these regulations.
The below outlines the core details of our efforts in compliance:
Currently, the data protection officer role is managed by the team of directors and can be reached on information-officer@stackworx.io.
As an organisation building international products and services, we are no stranger to ensuring that the appropriate security measures are put in place and maintained for projects of any size. More on this can be found in our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.
Business Data: personal data relating to the businesses or organisations we work with is always treated as confidential and is shared on a need-to-know basis under the existing NDA/confidentiality agreement. No personal data is made available publicly, nor to Stackworx (Pty) Ltd employees, unless explicitly required. Should a business relationship be terminated, all personal data we hold as data processor can be returned on request and deleted from our records.
Project Data: project-level personal data is always obscured and is not accessible unless explicit, controlled access has been granted, and only in cases that warrant such access. Furthermore, passwords used to access projects built by Stackworx (Pty) Ltd are never stored in plaintext: they are hashed with the bcrypt password-hashing function (a salted, one-way function, not reversible encryption) and only the resulting hash is stored, so that neither Stackworx (Pty) Ltd employees nor any of its members, including infrastructure and hosting personnel, are able to recover the original password from what is stored.
Business Data: all business-related data is kept securely within Enterprise Google Drive and Enterprise Google Email; as an organisation we use the Google platform for all official business and commercial document storage and communication. Should a business relationship be terminated, all personal information we hold as data processor can be returned on request and deleted from our records.
Project Data: all project-related data is recorded and stored for a period in line with the retention strategy of each project, and we always follow a data-minimisation approach in which we only ask for and store operational or business-critical data. Where applicable, records are kept in a database; more details can be obtained from our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.
In accordance with https://gdpr-info.eu/art-33-gdpr/ we strive to take the following actions upon a data breach where there is any risk to the rights and freedoms of natural persons (or, in line with POPIA, juristic persons as well):
Furthermore, where it is not possible to provide all of the above information at the same time, it will be provided in phases without undue further delay.
Stackworx (Pty) Ltd will, as far as is reasonable and within its power, assist the data controller with the preparation and delivery of communications to affected data subjects, as outlined in https://gdpr-info.eu/art-34-gdpr/.
To obtain a copy of our “Incident Response & Breach Management Policy” please send an email to information-officer@stackworx.io.
As a data processor we follow the principles as set out in https://gdpr-info.eu/chapter-2/ to ensure we capture, store and process personal data in line with being:
Outsourced work: as a general rule Stackworx (Pty) Ltd does not employ an outsourced or sub-contracting model, so no individuals directly involved in project delivery are subcontractors of the data processor. Should there ever be an exception to this rule, the data controller will be informed and its authorisation obtained as prescribed by the GDPR (Article 28), which does not permit a processor to engage another processor without the controller's prior written authorisation.
Hosting: Stackworx (Pty) Ltd does, however, use external third parties for hosting services to bring solutions to market. These hosting providers act as sub-processors where they handle personal data, so the chosen service providers are always disclosed to the data controller, and various suppliers can be chosen from in line with any specific project or compliance requirements. More on this in our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.
As an organisation we strive towards better and continuous compliance. In doing so, and in line with the processor's duty under Article 28 to inform the controller of infringing instructions, we may from time to time point out to data controllers where their instructions or requests are not in line with applicable compliance and regulation.
Given that Stackworx (Pty) Ltd’s head office resides in South Africa, there is a need to transfer personal data between the EU and South Africa. Every effort is made to keep project-level personal data of a particular project's data subjects out of such transfers, where it is also possible to host that personal data in an EU member state in compliance with the GDPR.
However, where the scope of a project requires a data subject's personal data to be transferred across borders, the appropriate safeguards outlined in https://gdpr-info.eu/art-46-gdpr/ are followed and data subjects are made aware of this where appropriate and relevant.
As the data processor, Stackworx (Pty) Ltd will always assist the data controller as far as is possible and reasonable, whether through system design and implementation or through communication after the fact, in adhering to the data subject rights set out by the GDPR in https://gdpr-info.eu/chapter-3/, including:
Where required by the project scope, Stackworx (Pty) Ltd will assist in ensuring that the data controller has a privacy policy in place that reflects the personal data the application collects and explains the purpose of that personal data.
In line with https://gdpr-info.eu/art-7-gdpr/, where processing is based on consent, Stackworx (Pty) Ltd as the data processor will ensure that consent is captured and recorded in such a way that the controller is able to demonstrate that the data subject has consented to the processing of his or her personal data.
As mentioned, personal data compliance is an ongoing effort and we treat it as such. For the scope of this document we perform the role of the data processor and are required to assist the data controller in its efforts to comply and to ensure that data subjects are comfortable with the manner in which their personal data is obtained, stored and processed.
We, Stackworx (Pty) Ltd, do however acknowledge that compliance is a collection of efforts, policies, documentation and intent.